Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Flask weak secret key - Vulnerability Database

Flask weak secret key

Description

Each Flask web application contains a secret key which used to sign session cookies for protection against cookie data tampering. It's very important that an attacker doesn't know the value of this secret key. Your application is using a weak/known secret key and Invicti managed to guess this key.

Remediation

Change the value of SECRET_KEY to a long random string.

References

Configuration Handling
Baking Flask cookies with your secrets

Related Vulnerabilities

Mojolicious weak secret key Medium
Common tags: Configuration Weak Credentials Default Credentials Api Broken Auth
Ruby framework weak secret key High
Common tags: Configuration Weak Credentials Default Credentials Api Broken Auth
Express cookie-session weak secret key Medium
Common tags: Configuration Weak Credentials Default Credentials Api Broken Auth
Yii2 weak secret key Medium
Common tags: Configuration Weak Credentials Default Credentials Api Broken Auth
Web2py weak secret key Medium
Common tags: Configuration Weak Credentials Default Credentials Api Broken Auth

Severity

Medium

Classification

CWE-693
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Configuration
Weak Credentials
Default Credentials
Api Broken Auth